The top threats to government systems, and where they're coming from

Symantec reports says Web-based attacks and persistent threats are on the rise

Editor's note: This article has been updated to correct the number of malicious code signature Symantec created in 2009 to 2.9 million.

The global government threat landscape was dominated last year by Web-based attacks and targeted, advanced persistent threats intended to quietly steal valuable information, according to the latest annual assessment by Symantec.

China was the top country of origin for attacks against the government sector in 2009, accounting for 14 percent of the total, but too much should not be read into that statistic. The apparent country of origin says little about who actually is behind an attack, said Dean Turner, director of Symantec’s Global Intelligence Network.

China’s ranking is due primarily to the large number of computers in the country, Turner said. Less than a quarter of attacks originating in China were directed at government targets, while more than 48 percent of attacks from Brazil — No. 3 on the hit list — were directed at government. This makes it unlikely that China is specifically targeting government systems.


Related stories:

Lessons from Google attack could help bolster U.S. cyber defense

Which country is most feared as a cyber threat? Guess again.


Compromised computers that are the apparent source of attacks often are controlled from elsewhere, and an attack apparently emanating from China does not necessarily mean that the Chinese government, or even anyone in China, is behind it. Attribution of attacks is notoriously difficult, and statistics do not necessarily indicate that the United States is under cyberattack by China. In fact, the United States ranked second in origin of government attacks in 2009, accounting for 11 percent.

The source of malicious traffic has more to do with available infrastructure than with politics. The highest growth in malicious activity is taking place in countries with emerging digital infrastructures, Turner said.

The Government Internet Security Threat Report is a subset of the annual global Internet threat report compiled by Symantec from data culled from 240,000 sensors in 200 countries and 133 million client endpoints, as well as from an analysis of 8 billion e-mails and 1 billion Web requests a day in 16 data centers.

The vast majority of the threats in 2009 were coming from the Web, and Web server attacks accounted for 46 percent of the top 10 attacks.

“They aren’t breaking into your network,” Turner said. “They don’t have to. You are going to them.”

The growth in advanced persistent threats, which are targeted and often sophisticated, was one of the most serious trends in 2009, according to the report. In contrast to more visible smash-and-grab attacks that steal personal information, persistent threats are intended to operate quietly, looking for and siphoning off high-value data such as software source code or other intellectual property over a long period of time.

“Aurora is a perfect example of targeted threats against the enterprise,” Turner said, referring to the breaches reported in January by Google. Aurora reportedly hit more than 100 other companies.

Because these attacks are targeted, they often rely on social engineering to deliver malicious code, which means that traditional network and perimeter defenses often are not effective. Social networking sites are a growing source of personal information used by attackers in targeting their attacks.

“Social networking sites should be of particular concern to government organizations,” the report states. Not only are they a source of targeting information, they also can be a vector for delivering malicious code.

Although the threat from such sites has been recognized, the response has not been consistent across government. Symantec noted that the Marine Corps has banned access to such sites from its network, while the Army has established guidelines for their use by soldiers and civilian employees. “To effectively manage social networking within government networks, clear policies on access to these sites is required, along with appropriate countermeasures to prevent unauthorized information from being posted,” the report states.

Other areas of concern for government include emerging technologies such as cloud computing and virtualization, in which risks and defenses have not yet been adequately identified and addressed.

The volume of malware continues to grow, and Symantec created 2.9 million new malicious code signatures in 2009, most of the signatures covering multiple instances of malware. This represented a 71 percent increase over 2008. Much of this new malware is not used in mass distribution, but in targeted one-off attacks against individual users. Because malicious code can easily be modified on the fly by automated tools, signatures are becoming less efficient for countering malware.

“Nobody can rely on signature-based detection alone anymore,” Turner said. Effective defense requires application blacklisting and whitelisting as well as behavior and reputation-based detection.

Last year, 51 percent of all code Symantec blocked based on reputation scoring was found on only one computer, which means a signature would not have been effective against it, Turner said. “If you are relying on signatures alone, you are dead.”

Reader Comments

Thu, Aug 19, 2010 Otis

The information in this document isn't focused on whether access to social networks are/are not allowed from govt/military networks. The point was the origin of the threat to government and military networks, and the information presented in the article discussing that theme is totally relevant and on target. Learn to understand some of what is being stated here, and that is that the user is STILL the weakest link in our security effort. After close to thirty years of doing IT/Information Security work for the US Govt and DoD, I am truly sick of having to watch and listen to the numerous training slides, modules, and sessions that are tailored to the morons who just don't get it. We don't have to worry about the Chinese hacking away at US govt/military networks because of the thoughtless and stupid acts done by government and military employees. Do you get the point now?

Fri, May 21, 2010

it is so easy to spoof ip addresses how can they confirm they originated in china? we blame everything on the chinese... i wonder how much of it is real and how much of it is someone's bad hunch and bias.

Tue, Apr 27, 2010

Read the M-Trends report and stop defending China. This type of reporting makes it very hard for those of us in the industry trying to help organizations in need.

Mon, Apr 26, 2010 Susan

This report cites old information. As of Early 2010, the DoD issued a policy document which the services have adopted and all services (Army, Navy, Air Force and Marines) are allowing access to social networking sites from their official military networks. Suggest the author of this article amend his reporting to state that fact....what was true when the report was written is not true now.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above